You may still remember the Mirai botnet and the record-breaking DDoS on Dyn at the end of last year. There is now a new IoT botnet spreading in the wild - IoT Reaper. SonicWall Capture Labs Threat Research team has analyzed this threat. Please see the IoT Reaper attack diagram below.

Compared to Mirai, the IoT Reaper malware has an upgraded spreading ability. It is effectively a curated exploit kit in itself: 9 existing exploits targeting devices from popular IoT vendors such as Linksys and D-Link are integrated, and the author is still actively adding support for new exploits. A Lua execution environment is also integrated, giving the malware stronger development potential. Below is one example of the embedded Lua code:

According to the code in the malware, Lua 5.3.3 is used to execute either the hard-coded or newly downloaded Lua code. Multiple Lua library features are also used, such as SMTP, FTP and HTTP/HTTPS.

Due to the wide spread of IoT Reaper, we have noticed an elevated level of IoT-targeted exploit activity. Below are the statistics for the last two months of IoT device attacks observed in the SonicWall Capture Threat Network, which show an obvious increase in such activity.

Also, 100+ open DNS resolvers are integrated in this malware, which may be used as reflectors in real DNS amplification attacks.
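As an added illustration (not part of the SonicWall analysis), the following script shows what a resolver operator could run over query logs to spot the pattern a reflector sees during amplification abuse: one client address "requesting" many answers that are far larger than its queries, which is how a spoofed victim looks from the resolver side. The log format, sample lines and thresholds are assumptions constructed for the example.

```python
"""Flag likely reflection/amplification abuse in DNS resolver query logs.

Constructed log format (an assumption, not any real product's format):
    <epoch> <client_ip> <qname> <qtype> <request_bytes> <response_bytes>
"""
from collections import defaultdict

# Constructed sample: 198.51.100.7 "asks" for large ANY answers five times in
# three seconds, which is what a spoofed victim address looks like to a reflector.
SAMPLE_LOG = """\
1508400000 198.51.100.7 example.net ANY 64 3200
1508400000 198.51.100.7 example.net ANY 64 3200
1508400001 198.51.100.7 example.net ANY 64 3200
1508400001 198.51.100.7 example.net ANY 64 3200
1508400002 198.51.100.7 example.net ANY 64 3200
1508400002 203.0.113.9 www.example.org A 58 74
1508400003 203.0.113.9 mail.example.org MX 60 120
"""

def parse_line(line):
    ts, ip, qname, qtype, req, resp = line.split()
    return {"ts": int(ts), "ip": ip, "qname": qname, "qtype": qtype,
            "req": int(req), "resp": int(resp)}

def detect_amplification(log_text, min_queries=5, min_ratio=10.0, window=60):
    """Return {client_ip: stats} for clients that, within any `window` seconds,
    sent at least `min_queries` queries whose total response bytes exceed the
    total request bytes by a factor of `min_ratio` or more."""
    per_ip = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            rec = parse_line(line)
            per_ip[rec["ip"]].append(rec)
    flagged = {}
    for ip, recs in per_ip.items():
        recs.sort(key=lambda r: r["ts"])
        start = 0
        for end in range(len(recs)):
            # Slide the window so it only covers the last `window` seconds.
            while recs[end]["ts"] - recs[start]["ts"] > window:
                start += 1
            win = recs[start:end + 1]
            if len(win) < min_queries:
                continue
            ratio = sum(r["resp"] for r in win) / sum(r["req"] for r in win)
            if ratio >= min_ratio:
                flagged[ip] = {"queries": len(win), "amp_ratio": round(ratio, 1),
                               "qtypes": sorted({r["qtype"] for r in win})}
                break
    return flagged
```

A hit on a client address is a signal to rate-limit responses to that address (or apply response rate limiting generally) and to confirm the resolver is not answering recursive queries from arbitrary Internet sources.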

SonicWall Capture Labs Threat Research team has analyzed the malware and vulnerabilities associated with IoT Reaper and developed the following signatures: